On Mon, Nov 30, 2009 at 12:30:51PM +0100, Antoni Grzymala wrote:
> I reckon that missing GPG infrastructure is one of the greatest problems
> of the Gentoo distribution esp. regarding serious corporate and academic
> deployments.
>
> I can devote some time to helping with the matter.
I would certainly like to get that GLEP series completed and out there.

There are still two GLEPs in the series that have not yet made it to
draft status:
http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/02-developer-process-security
http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/03-gnupg-policies-and-handling

However the main content of GLEPS 58-61 IS ready for the council to
approve, and they are NOT blocking on the above two items.

As such, I would like to present GLEPS 58,59,60,61 for final review, and
for the council to vote on their approval during the January meeting.

I'm going to summarize them here:
GLEP58: Security of distribution ... MetaManifest
-------------------------------------------------
- covers all Manifests with an infra-generated parent Manifest.
- required for end-to-end validation.
- prevents certain package manager attacks.
- NO day-to-day developer actions required.

GLEP59: Manifest2 hash policies and security implications
---------------------------------------------------------
- Add SHA512 to all Manifest files.
- Schedule removal of SHA1, MD5, RMD160 for 6-18 months after SHA512
  addition.
- Be prepared to add the NIST hash contest candidates/winner.

GLEP60: Manifest2 filetypes
---------------------------
(Has one TODO that needs clarification).
- Breaks down the Manifest2 filetypes into INFOrmational and CRITical.
- If the package manager is being strict, then INFO filetypes are
  treated as CRIT filetypes.
- INFO filetypes merely cause a warning on absence.
- CRIT filetypes may trigger a delayed OR immediate failure on absence.

GLEP61: Manifest2 compression
-----------------------------
- Disk space optimization for MetaManifest from GLEP58.

There is a prototype of the MetaManifest code here:
http://sources.gentoo.org/viewcvs.py/gentoo/users/robbat2/tree-signing-gleps/prototype/
It worked on Portage 2 years ago, but I haven't run it since then.

-- 
Robin Hugh Johnson
Gentoo Linux: Developer, Trustee & Infrastructure Lead
E-Mail : robbat2@g.o
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85
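The GLEP 59 hash policy and the GLEP 60 INFO/CRIT split summarized in the message above, worked through as an added Python example; this is not the prototype linked in the mail and not Portage's own verifier. It assumes the Manifest2 line layout `TYPE filename size HASH hex [HASH hex ...]`, that MISC entries are the INFO class (an assumption, not a quote from GLEP 60), and that SHA512 is the one required hash.

```python
import hashlib

# Assumed classification (not quoted from GLEP 60): MISC entries such as ChangeLog
# and metadata.xml are INFOrmational; EBUILD, AUX, DIST and MANIFEST are CRITical.
INFO_TYPES = {"MISC"}
REQUIRED_HASH = "SHA512"  # GLEP 59 direction: SHA1/MD5/RMD160 alone are not trusted

def parse_manifest2(text):
    """Parse Manifest2 lines: TYPE filename size HASH hex [HASH hex ...]."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or (len(fields) - 3) % 2:
            continue  # blank or malformed line: skip rather than guess
        entries.append((fields[0], fields[1], int(fields[2]),
                        dict(zip(fields[3::2], fields[4::2]))))
    return entries

def verify_manifest(text, files, strict=False):
    """Check a Manifest2 against files (name -> bytes, a stand-in for the tree).
    Returns (errors, warnings): a finding on a CRIT entry is an error, the same
    finding on an INFO entry only a warning, unless strict=True promotes INFO to CRIT."""
    errors, warnings = [], []
    for ftype, name, size, hashes in parse_manifest2(text):
        report = errors if (strict or ftype not in INFO_TYPES) else warnings
        if name not in files:
            report.append(f"{ftype} {name} missing")
        elif REQUIRED_HASH not in hashes:
            report.append(f"{ftype} {name}: no {REQUIRED_HASH} (only {', '.join(sorted(hashes))})")
        elif len(files[name]) != size or hashlib.sha512(files[name]).hexdigest() != hashes[REQUIRED_HASH]:
            report.append(f"{ftype} {name}: size or {REQUIRED_HASH} mismatch")
    return errors, warnings

# Constructed sample: a correct EBUILD entry, a ChangeLog still carrying only a
# legacy SHA1, and a metadata.xml listed in the Manifest but absent from the tree.
SAMPLE_FILES = {"foo-1.0.ebuild": b'EAPI=2\nDESCRIPTION="constructed example"\n',
                "ChangeLog": b"*foo-1.0 (30 Nov 2009)\n"}
SAMPLE_MANIFEST = "\n".join([
    "EBUILD foo-1.0.ebuild %d SHA512 %s" % (len(SAMPLE_FILES["foo-1.0.ebuild"]),
                                           hashlib.sha512(SAMPLE_FILES["foo-1.0.ebuild"]).hexdigest()),
    "MISC ChangeLog %d SHA1 %s" % (len(SAMPLE_FILES["ChangeLog"]),
                                   hashlib.sha1(SAMPLE_FILES["ChangeLog"]).hexdigest()),
    "MISC metadata.xml 0 SHA512 %s" % hashlib.sha512(b"").hexdigest(),
])

if __name__ == "__main__":
    for strict in (False, True):
        print("strict=%s -> %s" % (strict, verify_manifest(SAMPLE_MANIFEST, SAMPLE_FILES, strict)))
```

In the non-strict run the legacy-only ChangeLog and the absent metadata.xml are warnings only; with strict=True both become errors, while a modified ebuild is an error in either mode.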